
GDPR - Are you liable for data breaches by rogue employees?

The Court of Appeal recently dismissed an appeal by Wm Morrison Supermarkets Plc against a High Court ruling that it was vicariously liable for an employee’s deliberate disclosure of co-workers’ personal data on the internet.

Although this case has been decided in our new GDPR world, the law being considered was under the Data Protection Act 1998, and in particular the seventh data protection principle which states that data controllers must take

“…appropriate technical and organisational measures…against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, and damage to, personal data.”

It is a well-developed principle that employers can be held vicariously liable for the misdeeds of their employees if the wrongdoing by the employee is sufficiently or so closely connected with their employment to make it just and equitable to find the employer responsible.


As was widely reported, in this case the employee was an internal IT auditor who developed an unhealthy grudge against Morrisons and copied the personal data, including payroll data, of a large number of employees (almost 100,000) onto a USB stick.   He then took the stick home and posted the data on the internet, using another employee’s details in an attempt to conceal his actions.  This employee was separately convicted of criminal offences and was imprisoned for a significant period of time.

Vicarious Responsibility

Around 5,500 of the employees whose data had been released brought a class action against Morrisons, ultimately trying to secure an award of damages, under the Data Protection Act 1998, against them for the loss and injury they suffered.  Whilst they were unsuccessful on this point, the High Court held that there was a sufficient connection between the position in which the IT auditor was employed and his wrongful conduct to justify holding Morrisons vicariously liable for his actions, giving the employees an opportunity to recover compensation.

Morrisons appealed to the Court of Appeal on 2 main grounds: (1) there could be no vicarious responsibility because the Data Protection Act 1998 set out the only available remedies, and (2) the employee’s wrongdoing did not occur in the course of his employment.

Unfortunately for Morrisons, the appeal was unsuccessful, leaving Morrisons liable to the 5,518 claimants.


On a wider level, this case demonstrates that employers may now be liable for the misuse of personal data by a rogue employee even if they are otherwise compliant with data protection legislation, and even if the wrongdoing was intended to harm them.

As well as the potential value of compensation, it also opens the door to an inspection by the Information Commissioner’s Office, who could also fine the employer for failing to take adequate security measures to protect personal data or otherwise for not complying with data protection legislation.

The only comfort for Morrisons is that the level of damages will be assessed under the old law, i.e. the Data Protection Act 1998. Article 82 of the GDPR provides the right to claim compensation from controllers or processors for damage resulting from breaches, and we have already seen a ramp-up in the infrastructure of an industry ready to make data breach claims on behalf of employees, or even customers.

Morrisons has indicated its intention to appeal this judgment to the Supreme Court so we may not yet have the final word on the question of vicarious liability.  Watch this space!

The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.

